Skip to content

[Tuning] First Time AWS Cloudformation Stack Creation by User #5036

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 29, 2025
Merged

[Tuning] First Time AWS Cloudformation Stack Creation by User #5036

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ea85c8c
[Tuning] First Time AWS Cloudformation Stack Creation by User
imays11 Aug 28, 2025
77cc1df
adding highlighted fields
imays11 Aug 28, 2025
446d97f
Merge branch 'main' into tuning_cloud_formation_new_terms
imays11 Aug 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 39 additions & 25 deletions rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,17 @@
[metadata]
creation_date = "2020/07/25"
creation_date = "2024/07/25"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/08/27"

[rule]
author = ["Elastic"]
description = """
This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation
is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with
the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the
environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role
or IAM user within a particular account.
This rule detects the first time a principal calls AWS CloudFormation CreateStack, CreateStackSet or CreateStackInstances API. CloudFormation is used to create a collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage CloudFormation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior for a role or IAM user within a particular account.
"""
false_positives = [
"""
Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is
Verify whether the user identity should be using the triggered API. If known behavior is
causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to
reflect the expected frequency of known activity within a particular environment.
""",
Expand All @@ -24,12 +20,10 @@ from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "First Time AWS Cloudformation Stack Creation by User"
name = "First Time AWS CloudFormation Stack Creation"
references = [
"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html/",
"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html/",
"https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html/",
"https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html/",
"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html",
"https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html",
]
risk_score = 47
rule_id = "0415258b-a7b2-48a6-891a-3367cd9d4d31"
Expand All @@ -38,7 +32,7 @@ tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: Cloudformation",
"Data Source: CloudFormation",
"Use Case: Asset Visibility",
"Tactic: Execution",
"Resources: Investigation Guide",
Expand All @@ -48,23 +42,24 @@ type = "new_terms"

query = '''
event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
event.action: (CreateStack or CreateStackSet) and event.outcome:success
event.action: (CreateStack or CreateStackInstances)
and event.outcome:success
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating First Time AWS Cloudformation Stack Creation by User
### Investigating First Time AWS CloudFormation Stack Creation

AWS CloudFormation automates the setup of cloud resources using templates, streamlining infrastructure management. Adversaries with access can exploit this to deploy malicious resources, escalating their control. The detection rule identifies unusual activity by flagging the initial use of stack creation APIs by a user, helping to spot potential unauthorized actions early.
AWS CloudFormation automates the setup of cloud resources using templates, streamlining infrastructure management. Adversaries with access can exploit this to deploy malicious resources, escalating their control. The detection rule identifies unusual activity by flagging the initial use of stack creation APIs by a user or role, helping to spot potential unauthorized actions early.

### Possible investigation steps

- Review the CloudTrail logs for the specific event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com to identify the user or role that initiated the CreateStack or CreateStackSet action.
- Review `aws.cloudtrail.user_identity.arn` to identify the user or role that initiated the `CreateStack` or `CreateStackInstances` action.
- Verify the IAM permissions of the user or role involved in the event to ensure they have the appropriate level of access and determine if the action aligns with their typical responsibilities.
- Examine the stack template used in the CreateStack or CreateStackSet action to identify any unusual or unauthorized resources being provisioned.
- Check the event.outcome:success field to confirm the stack creation was successful and investigate any related resources that were deployed as part of the stack.
- Examine the stack template used to identify any unusual or unauthorized resources being provisioned.
- Investigate any related resources that were deployed as part of the stack.
- Correlate the timing of the stack creation with other logs or alerts to identify any suspicious activity or patterns that might indicate malicious intent.
- Investigate the account's recent activity history to determine if there have been any other first-time or unusual actions by the same user or role.

Expand All @@ -78,18 +73,37 @@ AWS CloudFormation automates the setup of cloud resources using templates, strea

### Response and remediation

- Immediately isolate the IAM user or role that initiated the stack creation to prevent further unauthorized actions. This can be done by revoking permissions or disabling the account temporarily.
- Review the created stack and stack set for any unauthorized or suspicious resources. Identify and terminate any resources that are not part of the expected infrastructure.
- Immediately isolate the IAM user or role that initiated the stack creation to prevent further unauthorized actions. This can be done by revoking permissions with a [DenyAll](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDenyAll.html) permissions policy or disabling the account temporarily.
- Review the created stack for any unauthorized or suspicious resources. Identify and terminate any resources that are not part of the expected infrastructure.
- Conduct a thorough audit of recent IAM activity to identify any other unusual or unauthorized actions that may indicate further compromise.
- If malicious activity is confirmed, escalate the incident to the security operations team for a full investigation and potential involvement of incident response teams.
- Implement additional monitoring and alerting for the affected account to detect any further unauthorized attempts to use CloudFormation or other critical AWS services.
- Review and tighten IAM policies and permissions to ensure that only necessary privileges are granted, reducing the risk of exploitation by adversaries.
- Consider enabling AWS CloudTrail logging and AWS Config rules to maintain a detailed record of all API activity and configuration changes for ongoing monitoring and compliance."""

- Review and tighten IAM policies and permissions to ensure that only necessary privileges are granted, reducing the risk of exploitation by adversaries."""

[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
"aws.cloudtrail.response_elements"
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
Expand Down
Loading